 Post subject: Let me tell you my dilemma
PostPosted: Thu Aug 08, 2019 8:21 pm 
For a few months now, I have had a dilemma. I want to make a project that will access a database. As the db will be accessed by many computers, not all in the same physical building, the db must be on a server. In my profession, we use some servers for mail, hosting, etc. Those servers, running Linux (RedHat x64), offer db hosting that can be accessed only by php and edited by phpmyadmin, no other way. So, in my case, there are two solutions:
1) Make a php project that will access the db and do all the work (authentication, show data, forms for input, etc).
2) Make a PB app which will communicate with a web service that will do read/write from/to the db.
In both cases, security is needed. The server supports TLS but pages are shown via http, no https. So my php files will have no security. On the other hand, the web service needs to run 24/7. I don't have the right to do it. I don't know how to do it. I have tried to contact the server staff with no success. I prefer the second one as it is easier to make the client and the web service (I don't know how to connect with TLS but I know how to use AES, even QAES which was posted in Tips and tricks a few weeks ago with PB's native network commands).

So, if you were me, what would you do?

(If I were me, I would change planet to find peace of mind.)


 Post subject: Re: Let me tell you my dilemma
PostPosted: Sun Aug 11, 2019 3:19 pm 
A friend gave me some good advice: have a php file in the web service role to do the db job for PB clients. I am thinking of this: php needs the db name and password to access the db. Also the user needs authentication. So, the PB client makes a string like:
Code:
dbname="...."|dbpass="..."|username="...."|userpass="..."|query="....."
That string will be AES encrypted and then passed through Base64 to become text; I add the initial string's CRC code (for validity) at the end of the Base64 and send it to the php. The php file will decrypt the string and use it to run the query. If the db name and password are wrong or the username and password are wrong, then no query execution.

There is a disadvantage in this solution. The db name and password must be known to the client. I am thinking of storing them in a pre-encrypted Base64 string with AES (different key) and some other XOR procedures that I have. If someone downloads the php file, these strings will be useless without my app.

So, what do you think?


 Post subject: Re: Let me tell you my dilemma
PostPosted: Sun Aug 11, 2019 5:59 pm 
Maybe you can use a unique UserId instead of Password and Username.


 Post subject: Re: Let me tell you my dilemma
PostPosted: Sun Aug 11, 2019 6:05 pm 
dbname and dbpass should already be known on the server (via config file in a secured folder).
Only a username and a password are needed .... (make an account table in your database for this)
so all the db stuff is done with php and pb is only to send the requests.

_________________
PureBasic 5.71 LTS (Windows x86/x64) | Windows10 Pro x64 | Z370 Extreme4 | i7 8770k | 32GB RAM | iChill GeForce GTX 980 X4 Ultra | HAF XF Evo​​
English is not my native language... (I often use DeepL to translate my texts.)


 Post subject: Re: Let me tell you my dilemma
PostPosted: Sun Aug 11, 2019 6:36 pm 
One other idea:

replace the libmariadb and lib with the one from:

https://mariadb.com/download-confirmati ... 11.57%20MB

Then set up your server for a TLS connection.
This dll is compiled with secure connections enabled.
This means that, if it is possible, the connection is done via TLS.

I cannot try it at the moment.


 Post subject: Re: Let me tell you my dilemma
PostPosted: Sun Aug 11, 2019 7:51 pm 
Bisonte wrote:
dbname and dbpass should already be known on the server (via config file in a secured folder).
Only a username and a password are needed .... (make an account table in your database for this)

Before entering phpmyadmin, the db managing system tells me the db name and password. Without them the php cannot connect.

Bisonte wrote:
so all the db stuff is done with php and pb is only to send the requests.

Exactly!

infratec wrote:
One other idea:

replace the libmariadb and lib with the one from:

https://mariadb.com/download-confirmati ... 11.57%20MB

Then set up your server for a TLS connection.
This dll is compiled with secure connections enabled.
This means that, if it is possible, the connection is done via TLS.

I cannot try it at the moment.

I don't have hands on the server, I am just a user, not admin. Can I still install it on Linux? The server has cURL, can it be useful?

EDIT: the server supports TLS, I've seen it in Filezilla when it connects to upload files.

Mijikai wrote:
Maybe you can use a unique UserId instead of Password and Username.

How will the user authenticate? Create a hash with the credentials and save it to the db?
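
Added example, not part of any post in this thread: one way a PHP endpoint can follow the suggestion quoted above (DB credentials stay on the server, users are checked against an account table), storing each password as a salted hash with `password_hash()` and accepting only named actions instead of a client-supplied `query`. The `items` table, the action names, the sample account and the in-memory SQLite database are constructed for the demo; `username` and `userpass` are the field names from the request string earlier in the thread.

```php
<?php
declare(strict_types=1);

// Assumption: a real deployment reads the DSN and DB password from a config
// file outside the web root; an in-memory SQLite DB keeps this demo offline.
function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE accounts (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');
    $db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, owner TEXT, name TEXT)');
    // Constructed sample rows; only a salted hash of the password is stored.
    $db->prepare('INSERT INTO accounts VALUES (?, ?)')
       ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    $db->prepare('INSERT INTO items (owner, name) VALUES (?, ?)')
       ->execute(['alice', 'first item']);
    return $db;
}

// Named actions the client may request; it never sends SQL text.
const ACTIONS = [
    'list_items' => ['SELECT id, name FROM items WHERE owner = :user', []],
    'add_item'   => ['INSERT INTO items (owner, name) VALUES (:user, :name)', ['name']],
];

function handle_request(PDO $db, array $req): array {
    $user = (string)($req['username'] ?? '');
    $stmt = $db->prepare('SELECT pw_hash FROM accounts WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    // password_verify() re-derives the hash with the salt embedded in $hash.
    if ($hash === false || !password_verify((string)($req['userpass'] ?? ''), $hash)) {
        return ['ok' => false, 'error' => 'authentication failed'];
    }
    $action = ACTIONS[(string)($req['action'] ?? '')] ?? null;
    if ($action === null) {
        return ['ok' => false, 'error' => 'unknown action'];
    }
    [$sql, $fields] = $action;
    $params = [':user' => $user];   // row owner always comes from the login
    foreach ($fields as $f) {
        $params[":$f"] = (string)($req[$f] ?? '');
    }
    $q = $db->prepare($sql);
    $q->execute($params);
    return ['ok' => true, 'rows' => $q->columnCount() > 0 ? $q->fetchAll(PDO::FETCH_ASSOC) : []];
}

$db = open_db();
echo json_encode(handle_request($db, ['username' => 'alice', 'userpass' => 'correct horse', 'action' => 'list_items'])), "\n";
echo json_encode(handle_request($db, ['username' => 'alice', 'userpass' => 'wrong', 'action' => 'list_items'])), "\n";
```

The request array stands for the fields after the endpoint has decoded them; protecting them in transit is a separate concern that this sketch does not cover.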

